CISOs decode return on security investment and cyber risk governance – ET CISO
Rajesh Thapar, CISO of NSE, emphasized the evolving role of CISOs as business enablers. “CISOs need to be business enablers with knowledge of compliance and financial management. Skills have changed, and negotiation is needed. You need to be an influencer and convince stakeholders,” he said. Thapar highlighted the importance of presenting business-aligned metrics to secure more resources, underscoring the need for CISOs to speak the language of numbers when dealing with management.
Shivkumar Pandey, Group CISO of Adani Group, discussed the challenges of calculating ROSI. “Cybersecurity investment is complex. The ROCI metric itself is variable. First, you need to understand the business and its risk tolerance. Have periodic meetings with management to explain threats and speak in a language they understand,” Pandey explained. His approach stresses the importance of continuous communication and risk assessment.
On the governance front, Thapar pointed out the increasing accountability of boards through cyber risk governance frameworks. “Cyber risk governance gave structure. It makes the board accountable and ensures documentation is in place,” he added.
Both leaders agreed that ROSI frameworks are valuable internally but face challenges when dealing with regulators. “ROCI metrics are good for internal budgets, but for regulators, it’s about compliance,” Pandey concluded.